
SoylentNews is people

posted by martyb on Sunday November 08 2015, @02:06PM
from the Wbuaal-qbrf-abg-rira-haqrefgnaq-EBG13 dept.

This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after "Why Johnny Can't Encrypt," modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.

The PDF of the study can be found here.


This discussion has been archived. No new comments can be posted.
  • (Score: 2) by frojack on Sunday November 08 2015, @06:51PM

    by frojack (1554) on Sunday November 08 2015, @06:51PM (#260437) Journal

    I'm pretty sure the GP has no idea about how it works and wasn't even aware there was a private key.

    Public keys are sent to key-servers, which replicate them around the world. 20 minutes after you publish your public key to one key server all the others have it. You can also attach them to the message. Distributing your public key is another thing that the Enigmail client takes care of.

    The upshot is the suggestion of loading all mail to a website that can decode it for the recipient is a non-starter. (Politest term I can think of).

    If the cloud can decrypt your mail, it's hopelessly compromised.
    If the Cloud Can't decrypt your mail, there is no reason to have the cloud.

    This article was about Mailvelope, which is a browser extension to handle the decryption/encryption tasks. It wasn't a full-blown mail package.
    It isn't the only such package out there that attempts to add encryption to web mail via browser plugins. Even Google released a similar extension for Chrome.

    In general, in-browser decryption/encryption is considered a bad idea, because browsers are so easily hacked. Still, a lot of people use browsers to read mail, and any open-source browser plugin is probably a good idea: As long as it does work.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Monday November 09 2015, @10:38AM

    by Anonymous Coward on Monday November 09 2015, @10:38AM (#260717)

    If the Cloud Can't decrypt your mail, there is no reason to have the cloud.

    Not true.

    • Sending data from one computer to another only works if both computers are switched on at the same time. The "cloud" (that is, the server in between; publicly accessible servers are much older than even the word "cloud") basically acts as a computer that normally is always-on.
    • Depending on the implementation and the number of people using the server, having a server in between can also hide which message is sent from whom to whom. All that can be seen from outside is that there were a bunch of people connecting to the server, while with a direct connection, anyone sitting in between can clearly see that there was a connection from the sender to the receiver.
    • (Score: 2) by frojack on Monday November 09 2015, @07:12PM

      by frojack (1554) on Monday November 09 2015, @07:12PM (#260862) Journal

      If the Cloud Can't decrypt your mail, there is no reason to have the cloud.

      Not true.

      Well, yes. Clearly I meant there is no reason to have "the cloud" involved in email storage and retrieval as proposed by the GP.
      And no, the cloud can't hide who email is sent from and to, because that is all revealed to each SMTP mail server in the chain.

      Thank you Captain Pedantic.

      --
      No, you are mistaken. I've always had this sig.
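
An added illustration of the metadata point debated in the thread above (not part of any comment or of the paper): in a PGP/MIME message only the body is ciphertext, so any server that stores or relays it can still read sender, recipient, subject and relay hops without a key. The sample message, addresses and host names are constructed for this example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server stores it.
# Addresses, hosts and the armored body are made up for illustration.
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS; Sun, 08 Nov 2015 14:06:05 +0000
Received: from laptop.sender.example ([198.51.100.7])
\tby mx.sender.example with ESMTPSA; Sun, 08 Nov 2015 14:06:01 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: meeting notes
Date: Sun, 08 Nov 2015 14:06:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

def relay_view(raw):
    """Return what a server handling `raw` can read without any PGP key."""
    msg = message_from_string(raw)
    addrs = lambda h: [a for _, a in getaddresses(msg.get_all(h, []))]
    # Each relay prepends a Received header; unfold them to one line each.
    hops = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    parts = msg.get_payload() if msg.is_multipart() else []
    # RFC 3156: exactly two parts, the second carrying the armored ciphertext.
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and len(parts) == 2
                 and "BEGIN PGP MESSAGE" in parts[1].get_payload())
    return {"from": addrs("From"), "to": addrs("To"), "subject": msg["Subject"],
            "hops": hops, "body_is_pgp_ciphertext": encrypted}

if __name__ == "__main__":
    for field, value in relay_view(SAMPLE).items():
        print(f"{field}: {value}")
```
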